Cloud information services

ABSTRACT

A method, article of manufacture, and apparatus for processing data. In some embodiments, this includes determining a policy, intercepting communication between a user and a cloud service provider, applying the determined policy to the intercepted communication, and storing at least a portion of the intercepted communication in an intermediary. In some embodiments, information stored in the intermediary may be retrieved without the cloud service provider.

FIELD OF THE INVENTION

The present invention relates generally to data systems, and more particularly, to systems and methods of efficiently processing data.

BACKGROUND OF THE INVENTION

Modern data systems are becoming increasingly geographically diverse. Often referred to as “cloud computing,” these data systems typically deliver services through the internet. For example, a server located in one country may be used to provide software or processing power to a client located in another country.

This internet-based infrastructure allows for several benefits, such as sharing of resources, freeing the user from Information Technology (IT) maintenance, improved utilization rates of resources, and platform-independent applications, among others.

However, cloud service providers do not take into account the individual needs of each client.

There is a need, therefore, for an improved method, article of manufacture, and apparatus for processing data in data systems.

BRIEF DESCRIPTION OF THE DRAWINGS

The present invention will be readily understood by the following detailed description in conjunction with the accompanying drawings, wherein like reference numerals designate like structural elements, and in which:

FIG. 1 is a diagram of a data system in accordance with some embodiments.

FIG. 2 is a flowchart of a method to process data in accordance with some embodiments.

DETAILED DESCRIPTION

A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. While the invention is described in conjunction with such embodiment(s), it should be understood that the invention is not limited to any one embodiment. On the contrary, the scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications, and equivalents. For the purpose of example, numerous specific details are set forth in the following description in order to provide a thorough understanding of the present invention. These details are provided for the purpose of example, and the present invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the present invention is not unnecessarily obscured.

It should be appreciated that the present invention can be implemented in numerous ways, including as a process, an apparatus, a system, a device, a method, or a computer readable medium such as a computer readable storage medium containing computer readable instructions or computer program code, or as a computer program product, comprising a computer usable medium having a computer readable program code embodied therein. In the context of this disclosure, a computer usable medium or computer readable medium may be any medium that can contain or store the program for use by or in connection with the instruction execution system, apparatus or device. For example, the computer readable storage medium or computer usable medium may be, but is not limited to, a random access memory (RAM), read-only memory (ROM), or a persistent store, such as a mass storage device, hard drives, CDROM, DVDROM, tape, erasable programmable read-only memory (EPROM or flash memory), or any magnetic, electromagnetic, infrared, optical, or electrical means system, apparatus or device for storing information. Alternatively or additionally, the computer readable storage medium or computer usable medium may be any combination of these devices or even paper or another suitable medium upon which the program code is printed, as the program code can be electronically captured, via, for instance, optical scanning of the paper or other medium, then compiled, interpreted, or otherwise processed in a suitable manner, if necessary, and then stored in a computer memory. Applications, software programs or computer readable instructions may be referred to as components or modules. Applications may be hardwired or hard coded in hardware or take the form of software executing on a general purpose computer or be hardwired or hard coded in hardware such that when the software is loaded into and/or executed by the computer, the computer becomes an apparatus for practicing the invention. Applications may also be downloaded in whole or in part through the use of a software development kit or toolkit that enables the creation and implementation of the present invention. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention.

An embodiment of the invention will be described with reference to a data system configured to store files, but it should be understood that the principles of the invention are not limited to data systems. Rather, they are applicable to any system capable of storing and handling various types of objects, in analog, digital, or other form. Although terms such as document, file, object, etc. may be used by way of example, the principles of the invention are not limited to any particular form of representing and storing data or other information; rather, they are equally applicable to any object capable of representing information.

FIG. 1 illustrates a data system in accordance with some embodiments. Data System 10 includes Users 100, Cloud Intermediary 102, Cloud Service Providers 104, and Policy Engine 106. Users 100 access cloud services from Cloud Service Providers 104. For example, Users 100 may be desktop clients. Cloud Service Providers 104 may provide cloud services, such as a word processor delivered via the internet to Users 100, or other Software as a Service (SaaS). Cloud Intermediary 102 intercepts data communication between Users 100 and Cloud Service Providers 104, and processes the data according to Policy Engine 106. Policy Engine 106 contains policies that dictate how to manage the data communication between Users 100 and Cloud Service Providers 104.

Though FIG. 1 illustrates only one cloud intermediary, Data System 10 may include multiple cloud intermediaries. In some embodiments, multiple users may connect to the same cloud intermediary or to different cloud intermediaries. Further, a user may include several physical machines (e.g. a network of desktop clients), or may be a virtual user (e.g. a virtual machine running on a host machine or multiple host machines). Further, though FIG. 1 illustrates Cloud Intermediary 102 to be external to User 100 and Server 104, Cloud Intermediary 102 may reside inside users or cloud service providers, or be local to users or cloud service providers.

Having a cloud intermediary has many benefits. In some embodiments, the cloud intermediary may allow a user to comply with the user's individual data retention needs. For example, suppose a user utilizes a cloud service provider's email services. Further suppose the user is required by law to retain documents for seven years. However, the cloud service provider's email service only retains emails for five years. If the user utilized the email service without a cloud intermediary, the user would not be able to comply with the applicable document retention law. With a cloud intermediary, the user's communication with the email service would be intercepted, and processed according to a policy. In this case, since the user is concerned with data retention, a policy may dictate that all emails be archived to a storage device independent of the service provider, and stored for a period of seven years.

FIG. 2 illustrates a method to process information in accordance with some embodiments. In step 200, a policy is determined. In step 202, communication between a user and a cloud service provider is intercepted. In step 204, the determined policy is applied to the intercepted communication. In step 206, at least a portion of the intercepted communication is stored in an intermediary. In some embodiments, further steps (not shown) may be taken, such as retrieving the stored communication from the intermediary, independent of the cloud service provider.

The cloud intermediary may intercept and process data communication through many methods. In some embodiments, a reverse proxy may be used. For example, if the user accessed www.gmail.com for email services, a cloud intermediary may intercept the communication request from the user and redirect it to www.intermediary.com/gmail. Communication from www.gmail.com to the client may also be intercepted by the intermediary. The cloud intermediary may receive the emails, create a copy of the emails, and store the copy in a storage device. Once the emails have been copied, the cloud intermediary may pass through the communication to www.gmail.com, or to the user, depending on whether the mail is outbound or inbound.

By retaining a copy of data, a cloud intermediary may also assist with data access. For example, a user may be in litigation and required to produce documents for a discovery request. If the user requested relevant data from a cloud service provider, it may take a large amount of time, and may be expensive for the cloud service provider to locate and produce the data. By having a cloud intermediary retain a copy of the data, the user could locate the data easily in the cloud intermediary, and would not need the assistance of the cloud service provider.

In some embodiments, a user may use several cloud service providers. For example, a user may use one cloud service provider for email, one cloud service provider for word processing, and one cloud service provider for customer relationship management (CRM) products. These cloud service providers may have different data retention periods, different security protocols, and other differing characteristics. This may present a problem to a user who requires all data policies be unified, or to potential users who are accustomed to having IT in-house. In some embodiments, a cloud intermediary may be used to intercept the data communication from the user to all the cloud service providers used by the user. For example, the cloud intermediary may intercept all data communication to www.CRM.com and redirect it to www.intermediary.com/CRM, all data communication to www.email.com and redirect to www.intermediary.com/email, and so on. Depending on policy, several actions may be taken. For example, before allowing email to go to www.email.com, the cloud intermediary may authenticate the user depending on policy. If the user's security credentials are adequate, the email may be copied, and allowed to pass through to www.email.com. If not, the cloud intermediary may retain the email, flag the email and notify the appropriate person of a potential security breach.

In some embodiments, the cloud intermediary may be used to retain different versions of the same document. For example, suppose a user used a cloud service provider to create spreadsheets. One spreadsheet may be financial_report.xls. The cloud service provider may only retain one copy of financial_report.xls (e.g. the most recent copy). If the user desired to access an older copy of the financial_report.xls because the most recent version contained an accounting error, the cloud service provider would be unable to provide the user with the older and correct spreadsheet. The cloud intermediary may be used to implement a policy which dictates that multiple versions of a document be kept, allowing the user to search the cloud intermediary for the desired version of the file.

Policies may be used to determine which data a user is able to view in the intermediary, as well as which data is stored. For example, a policy may dictate that a user may view only his or her data stored in the intermediary. In some embodiments, this may be accomplished through a user interface that requires a user to input authentication information, such as a username and password. Once authorized, a user may be able to see all data that is owned by the user. Administrator users (e.g. users with access to see all data) may be preferable in some cases, such as when a corporation needs to find data stored in the intermediary that is relevant to a discovery request.

In some embodiments, a policy may dictate that only high level employees of a corporation may have a copy of their SaaS data stored in the intermediary, while other employees have a copy of their SaaS metadata stored. For example, when the SaaS is an email provider, metadata may include the email's envelope information. In some embodiments, some users' data and metadata may not be copied at all. This may be preferable when the intermediary's resources (e.g. disk space, bandwidth, etc.) are limited.
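The steps of FIG. 2 combined with the per-user policies, the credential check and the view restrictions described above, as an added Python example that is not part of the patent. Assumptions: the tier names `full`/`metadata`/`none`, all class and field names, the use of message header fields as the stored metadata, and the sample users and message are constructed for illustration.

```python
# Added illustration, not the patent's code; names and sample data are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from email import message_from_string
from typing import Optional

@dataclass(frozen=True)
class Policy:
    capture: str               # "full", "metadata" or "none"
    retention_years: int = 7   # the seven-year requirement from the example

@dataclass
class Record:
    owner: str
    expires_at: datetime
    metadata: dict
    body: Optional[str]        # None when only metadata is kept
    flagged: bool = False

def add_years(ts, years):
    try:
        return ts.replace(year=ts.year + years)
    except ValueError:         # 29 Feb into a non-leap year: keep one day longer
        return ts.replace(year=ts.year + years, month=3, day=1)

class Intermediary:
    def __init__(self, policies, default, admins=()):
        self.policies, self.default, self.admins = policies, default, set(admins)
        self.store, self.alerts = [], []

    def intercept(self, user, raw, authenticated, now):
        """Return True if the message may pass through to the provider."""
        policy = self.policies.get(user, self.default)           # step 200
        msg = message_from_string(raw)                           # step 202
        meta = {h: msg[h] for h in ("From", "To", "Date", "Subject")}
        expires = add_years(now, policy.retention_years)
        if not authenticated:                                    # step 204
            # Inadequate credentials: retain, flag, notify, do not forward.
            self.store.append(Record(user, expires, meta, msg.get_payload(), True))
            self.alerts.append(f"possible breach: {user} -> {meta['To']}")
            return False
        if policy.capture != "none":                             # step 206
            body = msg.get_payload() if policy.capture == "full" else None
            self.store.append(Record(user, expires, meta, body))
        return True

    def retrieve(self, requester):
        """Served from the intermediary alone; users see only their own data."""
        if requester in self.admins:
            return list(self.store)
        return [r for r in self.store if r.owner == requester]

    def purge(self, now):
        """Delete records whose retention period has ended; return the count."""
        expired = [r for r in self.store if r.expires_at <= now]
        self.store = [r for r in self.store if r.expires_at > now]
        return len(expired)

SAMPLE = ("From: {u}@example.com\nTo: client@example.org\n"
          "Date: Thu, 29 Feb 2024 09:00:00 +0000\nSubject: Q4\n\nfigures attached\n")

def demo():
    now = datetime(2024, 2, 29, 9, 0, tzinfo=timezone.utc)
    im = Intermediary({"ceo": Policy("full"), "intern": Policy("none")},
                      default=Policy("metadata"), admins={"counsel"})
    events = [("ceo", True), ("staff", True), ("intern", True), ("staff", False)]
    passed = [im.intercept(u, SAMPLE.format(u=u), ok, now) for u, ok in events]
    return im, passed
```

The retention deadline is computed in calendar years so that a message stored on 29 February is never released a day early.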

For the sake of clarity, the processes and methods herein have been illustrated with a specific flow, but it should be understood that other sequences may be possible and that some may be performed in parallel, without departing from the spirit of the invention. Additionally, steps may be subdivided or combined. As disclosed herein, software written in accordance with the present invention may be stored in some form of computer-readable medium, such as memory or CD-ROM, or transmitted over a network, and executed by a processor.

All references cited herein are intended to be incorporated by reference. Although the present invention has been described above in terms of specific embodiments, it is anticipated that alterations and modifications to this invention will no doubt become apparent to those skilled in the art and may be practiced within the scope and equivalents of the appended claims. More than one computer may be used, such as by using multiple computers in a parallel or load-sharing arrangement or distributing tasks across multiple computers such that, as a whole, they perform the functions of the components identified herein; i.e. they take the place of a single computer. Various functions described above may be performed by a single process or groups of processes, on a single computer or distributed over several computers. Processes may invoke other processes to handle certain tasks. A single storage device may be used, or several may be used to take the place of a single storage device. The present embodiments are to be considered as illustrative and not restrictive, and the invention is not to be limited to the details given herein. It is therefore intended that the disclosure and following claims be interpreted as covering all such alterations and modifications as fall within the true spirit and scope of the invention.

What is claimed is:
 1. A system comprising: an intermediary device that includes a processor that is used by the system in the management of one or more services provided by a cloud service provider to a user, wherein in operation, the processor executes instructions to: access a document retention policy which specifies storage information for documents meeting one or more criteria, wherein the documents specified in the document retention policy comprise email; intercept a communication initiated at one of the user and the cloud service provider and directed by the initiating user or cloud service provider to the other of the user and the cloud service provider, wherein the communication is intercepted by the intermediary device as the communication travels between the user and cloud service provider, wherein the intercepted communication is an email; process the intercepted communication in accordance with the accessed document retention policy, even when the document retention policy is different from a document retention policy of the cloud service provider regarding the intercepted communication; store a portion of the intercepted communication at the intermediary device so that the stored portion of the intercepted communication can be subsequently retrieved from the intermediary device by the user; receive a request from the user to retrieve the stored portion of the intercepted communication; and provide the stored portion of the intercepted communication to the user upon request by the user, wherein the stored portion of the intercepted communication is provided to the user without involvement by the cloud service provider.
 2. The system as recited in claim 1, wherein in operation, the processor further executes instructions to intercept a word processing document as the word processing document travels between the user and cloud service provider.
 3. The system as recited in claim 1, wherein the intercepted communication is initiated by the cloud service provider.
 4. The system as recited in claim 1, wherein the one or more services provided by the cloud service provider includes any one or more of email services, word processing services, and customer relationship management (CRM) services.
 5. The system as recited in claim 1, wherein the intermediary is local either to the user or to the cloud service provider.
 6. The system as recited in claim 1, wherein the system is configured such that communications between the user and the cloud service provider pass through the intermediary.
 7. The system as recited in claim 1, wherein the intercepted communication is generated in association with the operation of a software as a service (SAAS) application provided by the cloud service provider.
 8. The system as recited in claim 1, wherein in operation, the processor further executes instructions to perform one or more of: redirect the email after receipt from the user or cloud service provider; copy the email after receipt from the user or cloud service provider; or after interception, pass the intercepted email to an intended recipient.
 9. The system as recited in claim 1, wherein execution of the instructions by the processor to process the intercepted communication in accordance with the document retention policy comprises executing the instructions by the processor to do one or more of: control user access to a portion of the intercepted communication; or store multiple versions of the intercepted communication at the intermediary.
 10. The system as recited in claim 1, wherein the processor executes instructions to process the intercepted communication in accordance with multiple policies.
 11. The system as recited in claim 1, further comprising deleting the stored portion of the intercepted communication when specified by the document retention policy.
 12. The system as recited in claim 1, wherein processing the intercepted communication in accordance with the accessed document retention policy comprises retaining the intercepted communication but not passing the intercepted communication on.
 13. A non-transitory storage medium having stored therein computer-executable instructions which, when executed by one or more processors, perform management of one or more services provided by a cloud service provider to a user by: accessing a document retention policy which specifies storage information for documents meeting one or more criteria, wherein the documents specified in the document retention policy comprise email; intercepting a communication initiated at one of the user and the cloud service provider and directed by the initiating user or cloud service provider to the other of the user and the cloud service provider, wherein the communication is intercepted by the intermediary device as the communication travels between the user and cloud service provider, wherein the intercepted communication is an email; processing the intercepted communication in accordance with the accessed document retention policy, even when the document retention policy is different from a document retention policy of the cloud service provider regarding the intercepted communication; storing a portion of the intercepted communication at the intermediary device so that the stored portion of the intercepted communication can be subsequently retrieved from the intermediary device by the user; receiving a request from the user to retrieve the stored portion of the intercepted communication; and providing the stored portion of the intercepted communication to the user upon request by the user, wherein the stored portion of the intercepted communication is provided to the user without involvement by the cloud service provider.
 14. The non-transitory storage medium as recited in claim 13, wherein in operation, the one or more processors further execute instructions to intercept a word processing document as the word processing document travels between the user and the cloud service provider.
 15. The non-transitory storage medium as recited in claim 13, wherein the intercepted communication is initiated by the cloud service provider.
 16. The non-transitory storage medium as recited in claim 13, wherein the one or more services provided by the cloud service provider includes any one or more of email services, word processing services, and customer relationship management (CRM) services.
 17. The non-transitory storage medium as recited in claim 13, wherein processing the intercepted communication in accordance with the document retention policy comprises one or more of: controlling user access to a portion of the intercepted communication; or storing multiple versions of the intercepted communication at the intermediary.
 18. The non-transitory storage medium as recited in claim 13, wherein processing the intercepted communication in accordance with the document retention policy comprises one or more of: redirecting the email after receipt from the user or cloud service provider; copying the email after receipt from the user or cloud service provider; or after interception, passing the intercepted email to an intended recipient.
 19. The non-transitory storage medium as recited in claim 13, wherein the intercepted communication is processed in accordance with multiple policies.
 20. The non-transitory storage medium as recited in claim 13, wherein the intercepted communication is generated in association with the operation of a software as a service (SAAS) application provided by the cloud service provider.